The State of Data Protection in Asia
In August, India passed a comprehensive data protection law, the Digital Personal Data Protection Act. Coming from the world's most populous country and its biggest democracy, the DPDP is perhaps the most important data protection law to pass in 2023.
With much of the focus in recent years on whether the United States will finally pass a comprehensive national data privacy law, other regions of the globe have stepped up to carry the baton as data rights become more central to the nature of the internet itself. In particular, Asia, or more specifically the APAC region, has surged, seeing many of its biggest economies pass data protection regulation over the past 24 months.
Asian Data Protection Laws & Approaches
Similar to India, Vietnam also passed a data privacy law this year, following Indonesia and Sri Lanka, both of which passed comprehensive laws in 2022. With China passing PIPL in 2021 and other notable Asian economies like Japan amending laws to more closely align with GDPR standards, Asia has near full investment in data privacy going forward.
Similar to Brazil’s LGPD and California’s CCPA, the GDPR served as inspiration for some Asian data protection laws. Much of this new regulation, including India's, grants data rights to citizens and others within the country, covers extraterritorial processing in certain circumstances, and requires consumer notices for major events like data breaches.
That is not to say that all of these regulations are similar. Compared to the minor differences we’re seeing between state-level laws within the United States, China’s PIPL and India’s DPDP are night and day.
One of the major reasons is that PIPL contains data sovereignty and data localization clauses. These clauses essentially state that in most circumstances, data needs to reside within China, as all data processed within the country is subject to China’s sovereign rule. This curbs the free flow of data in the global economy and, according to critics of data localization, could create a segmented internet if strictly enforced.
Vietnam’s law, Decree No. 13/2023/ND on the Protection of Personal Data, also features data localization clauses. This led some to worry that the APAC region would more universally embrace these principles, but many of these bills, including India's and Thailand's, have opted not to include data localization provisions.
This is a victory for increased data transparency and protected international data flows, and sets the stage for easier entry into these fast-growing markets while still respecting the public's data rights and acknowledging corporate obligations to handle data responsibly. That doubles the laws’ effectiveness, as Asian lawmakers have viewed passing data protection regulation as a table setter for growth within the region.
In any case, as APAC markets continue to grow and increase their appeal to international companies, the region's embrace of data privacy will be a boon and likely will help set the stage for other global markets to follow suit. If you aren’t paying attention to the happenings around data privacy in Asia, now is the time to start.
Here is a quick rundown of the major Asian data protection laws that have passed since 2020 (Thailand passed its law, the Personal Data Protection Act [PDPA], in 2019):
JAPAN
Japan’s Act on the Protection of Personal Information (APPI) was initially passed in 2003, one of the first Asian data protection laws. The Japanese Parliament amended the law in late 2015 to reflect new requirements around data breach security and notifications, but has maintained an eye on data privacy since.
That led to another recent amendment to APPI in mid-2022, which was highlighted by the following changes/tweaks:
- The scope of APPI has increased, with the latest changes implying that any business handling personal data of Japanese individuals, even if not located in Japan, is subject to the law.
- Businesses must now receive opt-in consent from individuals or establish a protective system before transferring personal data outside Japan.
- APPI has a new category of sensitive data, called "special care-required personal information," which focuses on data such as sexual orientation, religion, race, health status, etc., that could lead to discrimination. Like GDPR, companies will need prior consent to collect or use this data.
- Another new category of information is Personal Related Information, which includes data related to an individual but not strictly personal, such as cookies and IP addresses. Collecting this data requires a privacy policy but not opt-in consent, essentially meaning a slight change to cookie banners.
- Companies must now report data breaches to the Personal Information Protection Commission if the breach involves any sensitive data, involves data that was unjustly collected, or affects more than 1,000 individuals.
- Penalties: The updated law introduces higher penalties for fraudulent data leaks or misuse by employees, with a maximum business fine of $930,000.
CHINA
China passed and introduced the Personal Information Protection Law in late 2021, introducing a comprehensive data protection law to supersede the complex web of laws that previously governed data privacy within the country. PIPL has been in effect since November 1, 2021.
Of all the Asian data protection laws to pass since 2020, PIPL is arguably the least similar to GDPR even while sharing many similarities.
Individuals do have a set of data rights including rights to access, correct, delete, and port their data, but the overall text of PIPL is less focused on the progressivism of data rights and responsible corporate data handling and more on the regulatory aspect of data protection.
PIPL highlights include:
- Personal Information (PI) is defined as any recorded data related to an identifiable person in China, excluding irreversible anonymized information.
- Sensitive Personal Information (SPI), which is defined as information that could cause harm if misused, such as biometrics, has additional limitations and protections
- Personal Information processed for personal/family matters is exempt
- Data may be transferred abroad in some cases, but data localization clauses require various data to be stored within China
- Targeted ads and automated decision making must provide opt-outs
- Organizations must appoint a DPO, conduct regular audits and DPIAs, and notify the relevant authorities about data breaches
INDONESIA
The Personal Data Protection Law of Indonesia passed in late 2022, the first comprehensive law of its kind within the nation. It governs both digital and non-digital data, a stark difference to India’s DPDP, which only covers digital data.
There is currently a two-year transition period, with the law entering into effect in October 2024. The PDP Law is relatively standard compared to other international data privacy laws, borrowing significantly from the GDPR.
- Individuals within Indonesia have a full set of data rights, including the private right of action
- PDP Law allows for cross border data transfers
- Company requirements like running DPIAs and appointing a DPO
- Violations carry monetary penalties but also possible penalties such as imprisonment of 4-6 years, seizure of profits, payment of damages, and other sanctions against corporations
- The creation of a Data Protection Authority to oversee enforcement
- Sector-specific regulations:
  - Telecommunications: Unauthorized tapping is prohibited and transmitted information must remain confidential
  - Public Information: Public bodies cannot freely disclose personal information such as medical history, financial records, etc.
  - Banking and Capital Markets: The transfer of customer data by banks outside Indonesia requires prior approval from the Indonesian Financial Services Authority.
VIETNAM
Vietnam’s Decree No. 13/2023/ND on the Protection of Personal Data passed in 2023 with an immediate effective date of July 1, 2023. This followed two years of public consultations and government negotiation as to the final version of the law.
Similar to China, Vietnam’s regulation has data localization clauses in place. Both Vietnamese and foreign corporations must comply with the law, and data transfers abroad can only be done after receiving consent from the individual, completing an impact assessment, and submitting that assessment to the Ministry of Public Security. For international corporations, that could mean frequent DPIAs as data is transferred globally.
Beyond the data localization and sovereignty principles, the Decree contains the following:
- Differentiations between Personal Data and Sensitive Personal Data, although it does not contain separate handling mandates
- Data Subject Rights: Right to know, consent, access (within 72 hours), correct, withdraw consent, delete, restrict, object, and claim damages.
- Consent must be explicit and verifiable, and silence/non-response does not indicate consent. Consent and privacy notices should be transparent and clear about data processing implications.
- Data breaches must be reported to the Ministry of Public Security within 72 hours.
- Loosely-defined requirements for Data Subjects to protect their own data (which makes Vietnam the only country besides India to impose duties on individuals, even if sparsely explained)
INDIA
India’s DPDP is the newest entry among Asian data protection laws, having passed just in August 2023. The regulation caps off a six-year journey for the country to pass a comprehensive data protection regulation, and, although the bill had its opponents, it marks a major moment for both India and data privacy.
You can check out a full breakdown of the DPDP here. Aside from unique language not seen in other global regulations (abandoning preset terms like data subject and data controller) and the fact that it only covers digital information, here are the DPDP’s highlights:
- Covers both public and private entities equally, as well as foreigners within India.
- Does not restrict international data flows.
- Data rights include right to access, correction, erasure, withdraw consent, grievance redressal, and nominate a proxy.
- Several GDPR-like rights, such as data portability, are missing.
- Protections against targeted advertising are extended only to children (under 18).
- Compliance requirements include independent audits and occasional DPIAs
- Fines for noncompliance range from $120 USD to about $30 million USD.